Hope M. Babcock 600 New Jersey AvenUe NW Angela J. Campbell Suite 312 Directors Washington, DC 20001-2075 Andrew Jay Schwartzman Telephone: 202-662-9535 Benton Senior Counselor Fax: 202-662-9634 James T. Graves Ariel Nelson Adam Riedel Staff Attorneys GEORGETOWN LAW INSTITUTE FOR PUBLIC REPRESENTATION October 3, 2018 VIA E-MAIL Donald S. Clark, Secretary of the Commission Andrew Smith, Director, Bureau of Consumer Protection Federal Trade Commission 600 Pennsylvania Avenue NW Washington, DC 20580 Dear Mr. Clark and Mr. Smith, Campaign for a Commercial-Free Childhood (CCFC), by its counsel, the Institute for PUblic Representation, together with the undersigned organizations, write to ask the Federal Trade Commission to investigate and take enforcement action against Facebook for violating the Children’s Online Privacy Protection Act. Facebook’s messaging application for children under 13, Messenger Kids, is the first major social media platform designed specifically for young children—as young as five years of age. Messenger Kids violates COPPA by collecting personal information from children without obtaining verifiable parental consent or providing parents with clear and complete disclosures of Facebook’s data practices. In January 2018, CCFC asked Facebook to discontinue its Messenger Kids app because of the developmental risks it poses to children. In a letter signed by 118 public health advocates and organizations, CCFC said “a growing body of research demonstrates that excessive use of digital devices and social media is harmful to children and teens, making it very likely this new app will undermine children’s healthy development.”1 In addition to these serious child development issues, Facebook’s Messenger Kids application does not comply with COPPA—despite Facebook’s claims to the contrary.2 Messenger Kids 1 Letter from Campaign for a Commercial-Free Childhood et al. to Mark Zuckerberg, Facebook (Jan. 30, 2018), http://www.commercialfreechildhood.org/sites/default/files/devel- generate/gaw/FBMessengerKids.pdf. 2 Messenger Kids, https://messengerkids.com/ (“Is Messenger Kids COPPA compliant? Yes. Messenger Kids is designed to be compliant with important child privacy laws like the Children’s Online Privacy Protection Act (COPPA).”). falls short of COPPA compliance in at least two ways. First, the application’s parental consent mechanism is not reasonably calculated to ensure that the person providing consent is the child’s parent—or even an adult. In fact, it employs a mechanism similar to one that the FTC has previously rejected. Second, Facebook’s privacy notice for Messenger Kids3 is confusing and incomplete, preventing parents from making informed decisions about whether to allow Facebook to collect their children’s sensitive personal information. A. Facebook Messenger Kids does not have a COPPA-compliant mechanism for obtaining verifiable parental consent. COPPA requires operators of online services directed at children to obtain verifiable parental consent before collecting, using, or disclosing sensitive information about children under 13.4 The consent mechanism must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.5 Messenger Kids does not meet this requirement. The Messenger Kids application allows anyone who has a Facebook account and claims to be an adult to create and “verify” an account for a child. The verification process works as follows: After the app is downloaded to a child’s device, someone (ostensibly the child’s parent) authenticates to the app with his or her Facebook username and password. That person can then create an account for the child and add contacts to the child’s contact list through the “parent’s” own Facebook account.6 The child is then able to send messages to the person who created the account and any of the child’s contacts. This method is not “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”7 The only prerequisites to creating a Messenger Kids account for a child are a Facebook account of a user who claims to be 18 or older and physical access to a child’s device. Because Facebook does not verify ages, the mere existence of a Facebook account is insufficient to establish that a person is an adult, much less that the supposed adult is a child’s parent or guardian. The FTC has previously denied approval for a similar “verifiable parental consent” mechanism under COPPA.8 In 2013, the FTC rejected the application of AssertID, which proposed to use Facebook’s social graph as a method of authentication. AssertID’s product would have “ask[ed] a parent’s ‘friends’ on a social network to verify the identity of the parent and the existence of the parent-child relationship.” The method would have been “premised on verification by a 3 Facebook, Messenger Kids Privacy Policy (Dec. 4, 2017), https://www.facebook.com/legal/messengerkids/privacypolicy. 4 15 U.S.C. § 6502(b)(1)(A)(ii). 5 16 C.F.R. § 312.4. 6 Messenger Kids, https://messengerkids.com/. 7 16 C.F.R. § 312.5(b)(1). 8 Under 16 C.F.R. § 312.12, companies may apply for the Commission’s approval of parental consent mechanisms not enumerated in Section 312.5(b). 2 minimum number of verifiers” and would have required “that a minimum ‘trust score’ be met” for approval.9 The Commission held that approval would be premature “without relevant research or marketplace evidence demonstrating the efficacy of social-graph verification and that such a method is reasonably calculated to ensure the person providing consent is the child’s parent.” The Commission was also “persuaded by commenters’ concerns about the reliability of social- graph verification.” It recognized that “users can easily fabricate Facebook profiles,” noted that about 8.7% of Facebook’s accounts at the time were fake, and cited comments “highlighting the fact that children under 13 have falsified their age information to establish social media accounts, including very active accounts with significant age-inflation.”10 Facebook’s parental consent mechanism for Messenger Kids is even less trustworthy than what AssertID proposed. Instead of relying on a person’s social graph, Facebook relies solely on a single user’s unverified assertions. As was the case with AssertID, Facebook has not shown any research or evidence that its verification method is reasonably calculated to ensure that the person providing consent is the child’s parent—or is even an adult. Five years after the FTC rejected AssertID’s application, Facebook still cannot prevent fake accounts. Facebook reported last year that up to 270 million users were either “user- misclassified and undesirable” or duplicates of real accounts.11 It is easy enough to create fake accounts that Russia used hundreds of them to interfere with the 2016 election.12 Our own testing shows that it is not difficult to create a fake account that can approve a Messenger Kids user. We created a brand new Facebook account for a fictional 18 year-old. We then used that account to approve a fictional Messenger Kids user. The entire process took five minutes. What the FTC found in 2013 is still true: a Facebook account is insufficient to ensure that a person providing consent is the child's parent. 9 Letter from Donald S. Clark, Secretary, FTC, to Keith Dennis, President, AssertID, Inc., FTC Matter No. P135415 (Nov. 12, 2013), https://www.ftc.gov/sites/default/files/attachments/press- releases/ftc-denies-assertids-application-proposed-coppa-verifiable-parental-consent- method/131113assertid.pdf. 10 Id. 11 James Titcomb, Facebook Admits up to 270m Users are Fake and Duplicate Accounts, Telegraph (U.K.) (Nov. 2, 2017), https://www.telegraph.co.uk/technology/2017/11/02/facebook- admits-270m-users-fake-duplicate-accounts/ 12 Scott Shane, The Fake Americans Russia Created to Influence the Election, N.Y. Times (Sept. 7, 2017), https://www.nytimes.com/2017/09/07/us/politics/russia-facebook-twitter- election.html. 3 B. Facebook’s privacy policy for Messenger Kids is confusing and incomplete The COPPA Rule also requires that notice to parents “must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory material.”13 Facebook’s notice fails this standard for two reasons. First, the notice is not clearly written or complete because it does not adequately inform parents about Facebook’s data-sharing practices. Second, the policy is incomplete because it does not clearly disclose how long Facebook retains children’s data. Facebook’s privacy notice includes the following description of its third-party disclosure policy: Our vendors and service providers. We may transfer information we collect to third party service providers that support our business, such as companies that provide technical infrastructure or support (like a content delivery network), provide customer service, or analyze how Messenger Kids is being used to help us improve the service. Facebook Family of Companies. Messenger Kids is part of Facebook, and we may share the information we collect in Messenger Kids within the family of companies that are part of Facebook to support the uses described above, and to improve the services provided by the FB family of companies. For example, parents use Facebook Messenger to communicate with their children on Messenger Kids, and Facebook uses information from Messenger Kids to support seamless cross-service communication.14 This language is vague and incomplete. It states that Facebook may transfer information to third parties to “support [its] business.” That phrase might be interpreted to cover almost anything, including transfers to advertising networks, data brokers, and analytics firms. Although Facebook lists non-exclusive examples of service providers that would support Facebook’s business, those examples could be interpreted narrowly or broadly. A parent reading that policy might reasonably assume a narrower interpretation of “support our business” while Facebook takes a broader view of the term.